xref: /freebsd/contrib/openbsm/man/audit_user.5 (revision bc168a6cdd45ba809a5580b6e67ebc6806b5aeb3)
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1.  Redistributions of source code must retain the above copyright
.\"     notice, this list of conditions and the following disclaimer.
.\" 2.  Redistributions in binary form must reproduce the above copyright
.\"     notice, this list of conditions and the following disclaimer in the
.\"     documentation and/or other materials provided with the distribution.
.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\"     its contributors may be used to endorse or promote products derived
.\"     from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#12 $
.\"
.Dd February 5, 2006
.Dt AUDIT_USER 5
.Os
.Sh NAME
.Nm audit_user
.Nd "events to be audited for given users"
.Sh DESCRIPTION
The
.Nm
file specifies which audit event classes are to be audited for the given users.
If specified, these flags are combined with the system-wide audit flags in the
.Xr audit_control 5
file to determine which classes of events to audit for that user.
These settings take effect when the user logs in.
.Pp
Each line maps a user name to a list of classes that should be audited and a
list of classes that should not be audited.
Entries are of the form:
.Pp
.D1 Ar username Ns : Ns Ar alwaysaudit Ns : Ns Ar neveraudit
.Pp
In the format above,
.Ar alwaysaudit
is a set of event classes that are always audited, and
.Ar neveraudit
is a set of event classes that should not be audited.
These sets can indicate
the inclusion or exclusion of multiple classes, and whether to audit successful
or failed events.
See
.Xr audit_control 5
for more information about audit flags.
.Pp
Example entries in this file are:
.Bd -literal -offset indent
root:lo,ad:no
jdoe:-fc,ad:+fw
.Ed
.Pp
These settings would cause login/logout and administrative events that
succeed on behalf of user
.Dq Li root
to be audited.
No failure events are audited.
For the user
.Dq Li jdoe ,
failed file creation events are audited, administrative events are
audited, and successful file write events are never audited.
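.Pp
An added example, not part of this manual page or of OpenBSM: a Python parser
for entries in the format above that applies the flag prefixes documented in
audit_control(5) and combines a user's alwaysaudit and neveraudit sets with the
system-wide flags as described here (global flags merged with alwaysaudit, then
neveraudit removed, separately for success and failure).
The class-to-bit table is an assumed sample in audit_class(5) style; the real
system reads the mapping from that file.

```python
# Added example, not OpenBSM code: parse audit_user(5) entries and compute a user's
# effective preselection masks.  AUDIT_CLASSES is an assumed sample of audit_class(5).
AUDIT_CLASSES = {
    "no": 0x00000000, "fr": 0x00000001, "fw": 0x00000002, "fc": 0x00000010,
    "lo": 0x00001000, "aa": 0x00002000, "ad": 0x00004000, "all": 0xFFFFFFFF,
}
MASK32 = 0xFFFFFFFF
SAMPLE_AUDIT_USER = "root:lo,ad:no\njdoe:-fc,ad:+fw\n"  # the two entries shown above

def parse_flags(spec):
    """Flag string -> (success_mask, failure_mask).  audit_control(5) prefixes:
    '+' success only, '-' failure only, '^' removes the class; none means both."""
    success = failure = 0
    for item in filter(None, spec.replace(" ", "").split(",")):
        negate = item.startswith("^")
        if negate:
            item = item[1:]
        only_success, only_failure = item.startswith("+"), item.startswith("-")
        name = item[1:] if (only_success or only_failure) else item
        if name not in AUDIT_CLASSES:
            raise ValueError(f"unknown audit class {name!r} in {spec!r}")
        s_bits = 0 if only_failure else AUDIT_CLASSES[name]
        f_bits = 0 if only_success else AUDIT_CLASSES[name]
        if negate:
            success, failure = success & ~s_bits, failure & ~f_bits
        else:
            success, failure = success | s_bits, failure | f_bits
    return success & MASK32, failure & MASK32

def parse_audit_user(text):
    """username:alwaysaudit:neveraudit lines -> {user: (always, never) masks}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if fields == [""]:  # blank line
            continue
        if len(fields) != 3 or not fields[0]:
            raise ValueError(f"line {lineno}: expected username:alwaysaudit:neveraudit")
        entries[fields[0]] = (parse_flags(fields[1]), parse_flags(fields[2]))
    return entries

def effective_mask(entries, user, global_flags):
    """Merge global flags with alwaysaudit, then drop neveraudit, separately for
    success and failure, as this page describes; no entry -> global flags only."""
    g_s, g_f = parse_flags(global_flags)
    if user not in entries:
        return g_s, g_f
    (a_s, a_f), (n_s, n_f) = entries[user]
    return ((g_s | a_s) & ~n_s) & MASK32, ((g_f | a_f) & ~n_f) & MASK32
```

With global flags of "lo", jdoe's effective masks come out as success 0x5000 (lo, ad) and failure 0x5010 (lo, ad, fc), and a user without an entry keeps the global flags alone.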
.Sh IMPLEMENTATION NOTES
Per-user and global audit preselection configuration are evaluated at time of
login, so users must log out and back in again for audit changes relating to
preselection to take effect.
.Pp
Audit record preselection occurs with respect to the audit identifier
associated with a process, rather than with respect to the UNIX user or group
ID.
The audit identifier is set as part of the user credential context as part of
login, and typically does not change as a result of running setuid or setgid
applications, such as
.Xr su 1 .
This has the advantage that events that occur after running
.Xr su 1
can be audited to the original authenticated user, as required by CAPP, but
may be surprising if not expected.
.Sh FILES
.Bl -tag -width ".Pa /etc/security/audit_user" -compact
.It Pa /etc/security/audit_user
.El
.Sh SEE ALSO
.Xr login 1 ,
.Xr su 1 ,
.Xr audit 4 ,
.Xr audit_class 5 ,
.Xr audit_control 5 ,
.Xr audit_event 5
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.